Constants ¶
// SigV4Support is the value an agent sends in
// RetrievePresignedUploadURLRequest.SignatureVersion to tell the backend that it
// expects an AWS Signature Version 4 (query-string authenticated) presigned
// upload URL. Every agent version that knows about that field sets it to this
// value unconditionally, so the backend can key its behaviour on it.
const SigV4Support = "sigv4"
Functions ¶
func MockDataUploadServer ¶
MockDataUploadServer starts a server which mocks the CyberArk Discovery and Context API, and an HTTP client with the CA certs needed to connect to it.
The returned URL can be supplied to the `dataupload.New` function as the base URL for the Discovery and Context API.
The returned HTTP client has a transport which logs requests and responses depending on the log level of the logger supplied in the context. Note that a presigned upload URL carries its SigV4 signature in the query string, so verbose request logging will record a time-limited upload credential in the test output; this helper is intended for tests only.
The mock server will return a successful response when the cluster ID matches successClusterID. Other cluster IDs can be used to trigger various failure responses.
Types ¶
type CyberArkClient ¶
// CyberArkClient talks to the CyberArk Discovery and Context (inventory) API:
// it requests a presigned S3 upload URL and then PUTs a Snapshot to it (see
// PutSnapshot). Construct it with New, which supplies the HTTP client, base
// URL, tenant UUID and request authenticator; the fields are unexported, so
// New is the only way to populate them.
type CyberArkClient struct {
	// contains filtered or unexported fields
}
func New ¶
func New(httpClient *http.Client, baseURL string, tenantUUID string, authenticateRequest identity.RequestAuthenticator) *CyberArkClient
New creates a new CyberArkClient. The tenant UUID is best sourced from service discovery along with the base URL.
func (*CyberArkClient) PutSnapshot ¶
func (c *CyberArkClient) PutSnapshot(ctx context.Context, snapshot Snapshot) error
PutSnapshot PUTs the supplied snapshot to an [AWS presigned URL] which it obtains via the CyberArk inventory API. [AWS presigned URL]: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
A SHA256 checksum header is included in the request, to verify that the payload has been received intact. Read [Checking object integrity for data uploads in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity-upload.html), to learn more.
type RetrievePresignedUploadURLRequest ¶ added in v1.9.0
// RetrievePresignedUploadURLRequest is the JSON body sent to the inventory API
// to request a presigned upload URL for a snapshot. Every field is sent (no
// omitempty), so an unset string field arrives at the backend as "".
type RetrievePresignedUploadURLRequest struct {
	// ClusterID identifies the Kubernetes cluster the snapshot was taken from.
	ClusterID string `json:"cluster_id"`
	// Checksum is the SHA-256 digest of the payload that will be uploaded. The
	// same digest is sent as a checksum header on the PUT so S3 can verify the
	// body arrived intact (see PutSnapshot).
	// NOTE(review): this type does not fix the digest encoding; S3's
	// x-amz-checksum-sha256 header expects base64 per the AWS docs — confirm
	// the caller uses the encoding the backend expects.
	Checksum string `json:"checksum_sha256"`
	// AgentVersion is the v-prefixed version of the agent uploading the snapshot.
	// Note that some versions of the backend rely on this version being v-prefixed semver,
	// but that requirement was dropped in favour of the SignatureVersion field below
	// (which carries the SigV4Support constant).
	AgentVersion string `json:"agent_version"`
	// FileSize is the size of the data we'll upload in bytes.
	// NOTE(review): presumably the backend uses this to bound the presigned
	// upload — confirm against the backend before relying on it.
	FileSize int64 `json:"file_size"`
	// SignatureVersion allows the agent to specify which version of AWS's signature scheme it expects for the presigned URL.
	// Older versions of the agent will not send this. All versions which support this field will unconditionally set it to the
	// value of SigV4Support, so the backend can rely on this field being set.
	SignatureVersion string `json:"signature_version"`
}
RetrievePresignedUploadURLRequest is the JSON body sent to the inventory API to request a presigned upload URL.
type Snapshot ¶
// Snapshot is the JSON document that the CyberArk Discovery and Context API
// expects to be uploaded to the AWS presigned URL (see
// CyberArkClient.PutSnapshot).
//
// Handling note: the resource lists below are serialised as-is and leave the
// cluster, so whatever populates them is responsible for filtering sensitive
// material before the Snapshot is built — this type performs no redaction of
// its own. The slice fields have no omitempty, so a nil slice encodes as JSON
// null and an empty slice as [].
type Snapshot struct {
	// AgentVersion is the version of the Venafi Kubernetes Agent which is uploading this snapshot.
	AgentVersion string `json:"agent_version"`
	// ClusterID is the unique ID of the Kubernetes cluster which this snapshot was taken from.
	ClusterID string `json:"cluster_id"`
	// ClusterName is the name of the Kubernetes cluster which this snapshot was taken from.
	ClusterName string `json:"cluster_name"`
	// ClusterDescription is an optional description of the Kubernetes cluster which this snapshot was taken from.
	ClusterDescription string `json:"cluster_description,omitempty"`
	// K8SVersion is the version of Kubernetes which the cluster is running.
	K8SVersion string `json:"k8s_version"`
	// OIDCConfig contains OIDC configuration data from the API server's
	// `/.well-known/openid-configuration` endpoint, decoded into a generic map.
	OIDCConfig map[string]any `json:"openid_configuration,omitempty"`
	// OIDCConfigError contains any error encountered while fetching the OIDC configuration.
	// Only one of OIDCConfig / OIDCConfigError is expected to be populated.
	OIDCConfigError string `json:"openid_configuration_error,omitempty"`
	// JWKS contains the JSON Web Key Set from the API server's `/openid/v1/jwks`
	// endpoint (the keys used to verify service account tokens; presumably
	// public key material only — confirm nothing else is collected).
	JWKS map[string]any `json:"jwks,omitempty"`
	// JWKSError contains any error encountered while fetching the JWKS.
	JWKSError string `json:"jwks_error,omitempty"`
	// Secrets is a list of Secret resources in the cluster. Not all Secret
	// types are included and only a subset of the Secret data is included.
	// NOTE(review): that type/data filtering happens in whatever builds the
	// Snapshot, not here — confirm the filter before adding new Secret types
	// or fields to the collector, since the result is uploaded off-cluster.
	Secrets []runtime.Object `json:"secrets"`
	// ServiceAccounts is a list of ServiceAccount resources in the cluster.
	ServiceAccounts []runtime.Object `json:"serviceaccounts"`
	// ConfigMaps is a list of ConfigMap resources in the cluster.
	// NOTE(review): ConfigMaps are frequently (mis)used to hold credentials;
	// confirm whether their data is included verbatim or filtered upstream.
	ConfigMaps []runtime.Object `json:"configmaps"`
	// ExternalSecrets is a list of ExternalSecret resources in the cluster.
	ExternalSecrets []runtime.Object `json:"externalsecrets"`
	// SecretStores is a list of SecretStore resources in the cluster.
	SecretStores []runtime.Object `json:"secretstores"`
	// ClusterExternalSecrets is a list of ClusterExternalSecret resources in the cluster.
	ClusterExternalSecrets []runtime.Object `json:"clusterexternalsecrets"`
	// ClusterSecretStores is a list of ClusterSecretStore resources in the cluster.
	ClusterSecretStores []runtime.Object `json:"clustersecretstores"`
	// Roles is a list of Role resources in the cluster.
	Roles []runtime.Object `json:"roles"`
	// ClusterRoles is a list of ClusterRole resources in the cluster.
	ClusterRoles []runtime.Object `json:"clusterroles"`
	// RoleBindings is a list of RoleBinding resources in the cluster.
	RoleBindings []runtime.Object `json:"rolebindings"`
	// ClusterRoleBindings is a list of ClusterRoleBinding resources in the cluster.
	ClusterRoleBindings []runtime.Object `json:"clusterrolebindings"`
	// Jobs is a list of Job resources in the cluster.
	Jobs []runtime.Object `json:"jobs"`
	// CronJobs is a list of CronJob resources in the cluster.
	CronJobs []runtime.Object `json:"cronjobs"`
	// Deployments is a list of Deployment resources in the cluster.
	Deployments []runtime.Object `json:"deployments"`
	// Statefulsets is a list of StatefulSet resources in the cluster.
	Statefulsets []runtime.Object `json:"statefulsets"`
	// Daemonsets is a list of DaemonSet resources in the cluster.
	Daemonsets []runtime.Object `json:"daemonsets"`
	// Pods is a list of Pod resources in the cluster.
	// NOTE(review): pod specs can carry inline env values and annotations;
	// confirm the collector strips anything sensitive before upload.
	Pods []runtime.Object `json:"pods"`
}
Snapshot is the JSON that the CyberArk Discovery and Context API expects to be uploaded to the AWS presigned URL.